There are way too many variables to be able to answer that question. I dunno that any two hosts configure mod_security the same way. It would seem, to me, that in 95% (more?) cases it causes no issues at all.

I have read that mod_security causes some issues with WordPress installations. Is it worth the workarounds to have mod_security installed?

Ive been waiting for 10 hours to respond to this thread --

What specifically have you read regarding mod_security affecting installs? And where?

Thats the best place to start before answering too many questions.

Since we dont know what youve read, or where, its hard to tell you if its worth it. What you read might be accidently inaccurate, or purposefully false.

I can say with some assuredness that mod_security is mistakenly blamed for quite a few things on these forums, and ought not to be.

In other words, _generally_ uneducated people speak up without doing their homework first, (as happens everywhere, I fairly need to to add).

---

Now again, This, therefore, is a general reply to your question.

mod_security is worth ANY troubles, and the primary reason why I say is that its flexible, can be "turned off" if any different number of ways, and prevents a whole shedload of malicious things from happening.

Need to turn it off, adjust, etc..:

Add:

SecFilterEngine Off

to any .htaccess.

You obviously already know that .htaccess bits are inherited, so I dont need to explain that you could protect one directory but not another.

I'll assume youve looked over the mod_security website enough that you have a good idea what it does, and prevents. Personally, it's the SQL injection attack and XSS protection that I appreciate the most. A close second being the php remote file include protection.

I use mod_security to its fullest. I have no troubles posting whatever content I want, and have experienced NO issues with installs or upgrades, and I fairly recently just did a server move (both hosts had it available), again, all without a single issue.

as for mod_dosevasive, again, I would need to ask, what, if any, issues, are you having? or are you simply anticipating issues?

mod_dosevasive is pretty straightforward, and if youve ever looked at the output of ps -aux, you know how many procceses Apache can spawn.

For the uninformed, mod_dosevasive fights DOS attacks by blocking an IP thats requesting the same page more than a few times per second, or by blocking an IP thats making more than 50 concurrent requests on the same Apache proccess. It also includes a blacklist, and checks IPs againt that list.

I dont see how mod_dosevasive would cause it's own install issues, unless your hammering the page without fixing whatever other problem(s) might be holding up your install.